wavpack: add upstream security fixes
1 From 6f8bb34c2993a48ab9afbe353e6d0cff7c8d821d Mon Sep 17 00:00:00 2001
2 From: David Bryant <david@wavpack.com>
3 Date: Tue, 24 Apr 2018 17:27:01 -0700
4 Subject: [PATCH] issue #33, sanitize size of unknown chunks before malloc()
5
6 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
7 ---
8  cli/dsdiff.c | 9 ++++++++-
9  cli/riff.c   | 9 ++++++++-
10  cli/wave64.c | 9 ++++++++-
11  3 files changed, 24 insertions(+), 3 deletions(-)
12
13 diff --git a/cli/dsdiff.c b/cli/dsdiff.c
14 index c016df9..fa56bbb 100644
15 --- a/cli/dsdiff.c
16 +++ b/cli/dsdiff.c
17 @@ -279,7 +279,14 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
18          else {          // just copy unknown chunks to output file
19  
20              int bytes_to_copy = (int)(((dff_chunk_header.ckDataSize) + 1) & ~(int64_t)1);
21 -            char *buff = malloc (bytes_to_copy);
22 +            char *buff;
23 +
24 +            if (bytes_to_copy < 0 || bytes_to_copy > 4194304) {
25 +                error_line ("%s is not a valid .DFF file!", infilename);
26 +                return WAVPACK_SOFT_ERROR;
27 +            }
28 +
29 +            buff = malloc (bytes_to_copy);
30  
31              if (debug_logging_mode)
32                  error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",
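Review bot: The new range check in the dsdiff.c hunk runs on `bytes_to_copy` after the `(int)` cast, so it tests the narrowed value rather than the size the header declares. The `~(int64_t)1` mask suggests `ckDataSize` is 64 bits wide (its declaration is not in the hunk); if so, a declared size whose low 32 bits are small passes the check and the chunk is accepted with a length that does not match the header, which leaves the parser out of step with the file. Doing the comparison at full width closes that gap: `int64_t padded = (dff_chunk_header.ckDataSize + 1) & ~(int64_t)1;`, then `if (padded < 0 || padded > 4194304) {`, and only after the check `bytes_to_copy = (int) padded;`. The wave64.c hunk assigns `(chunk_header.ckSize + 7) & ~7L` to an `int` in the same way and would need the same treatment if that field is also 64-bit. ParseDsdiffHeaderConfig's body starts and ends outside the hunk.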
33 diff --git a/cli/riff.c b/cli/riff.c
34 index de98c1e..7bddf63 100644
35 --- a/cli/riff.c
36 +++ b/cli/riff.c
37 @@ -286,7 +286,14 @@ int ParseRiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
38          else {          // just copy unknown chunks to output file
39  
40              int bytes_to_copy = (chunk_header.ckSize + 1) & ~1L;
41 -            char *buff = malloc (bytes_to_copy);
42 +            char *buff;
43 +
44 +            if (bytes_to_copy < 0 || bytes_to_copy > 4194304) {
45 +                error_line ("%s is not a valid .WAV file!", infilename);
46 +                return WAVPACK_SOFT_ERROR;
47 +            }
48 +
49 +            buff = malloc (bytes_to_copy);
50  
51              if (debug_logging_mode)
52                  error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",
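Review bot: The limit in the riff.c hunk is applied to `bytes_to_copy` after the size has been rounded up and converted to `int`, so it depends on how that conversion behaves rather than on the header field itself. If `chunk_header.ckSize` is a 32-bit unsigned field (its declaration is not in the hunk), an all-ones value wraps to zero at `+ 1` and is accepted as an empty chunk, and values above INT_MAX are rejected only because the implementation-defined conversion to `int` typically yields a negative number. Testing the field before the arithmetic, `if (chunk_header.ckSize > 4194304) {` with the same `error_line` and `return WAVPACK_SOFT_ERROR;`, and computing `bytes_to_copy` afterwards, makes the bound explicit and portable. ParseRiffHeaderConfig's body starts and ends outside the hunk.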
53 diff --git a/cli/wave64.c b/cli/wave64.c
54 index 591d640..fa928a0 100644
55 --- a/cli/wave64.c
56 +++ b/cli/wave64.c
57 @@ -241,7 +241,14 @@ int ParseWave64HeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
58          }
59          else {          // just copy unknown chunks to output file
60              int bytes_to_copy = (chunk_header.ckSize + 7) & ~7L;
61 -            char *buff = malloc (bytes_to_copy);
62 +            char *buff;
63 +
64 +            if (bytes_to_copy < 0 || bytes_to_copy > 4194304) {
65 +                error_line ("%s is not a valid .W64 file!", infilename);
66 +                return WAVPACK_SOFT_ERROR;
67 +            }
68 +
69 +            buff = malloc (bytes_to_copy);
70  
71              if (debug_logging_mode)
72                  error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",
73 -- 
74 2.11.0
75